
Least privilege and unused access: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Weak visibility leaves least privilege unenforceable in practice: analysis of 225 companies found 85% of privileged credentials, nearly 1 in 3 users with access, and 15% of accessible resources went unused over 90 days, according to StrongDM. The governance problem is no longer whether least privilege is sound, but whether identity teams can measure real usage fast enough to remove standing risk.

NHIMG editorial — based on content published by StrongDM: 3 Reasons Why Least Privilege Has Failed

By the numbers:

Questions worth separating out

Q: How should security teams remove unused privileged access without breaking operations?

A: Start with accounts that have not been used in 90 days, then validate business owners before revoking anything that still supports production workflows.

Q: Why does least privilege fail in modern infrastructure environments?

A: It fails because entitlement is easier to assign than to verify, and many teams lack enough usage telemetry to prove which permissions are still needed.

Q: What do security teams get wrong about over-provisioned access?

A: They often treat over-provisioning as a one-time cleanup problem instead of a continuous governance signal.

Practitioner guidance

  • Correlate entitlement with actual usage: Compare privileged account assignments against 90-day usage data so dormant access can be challenged, justified, or removed.
  • Retire unused privileged credentials: Deprovision elevated credentials that have no verified business use and replace permanent access with task-scoped alternatives where operationally possible.
  • Review over-provisioned users by system reach: Map who can reach which databases, servers, and cloud resources, then remove inherited access that no longer matches current job function or operational need.

What's in the full article

StrongDM's full blog covers the operational detail this post intentionally leaves for the source:

  • How the 225-company analysis separated unused privileges, over-provisioned users, and unused resources
  • The access-usage measurement approach behind the 90-day visibility findings
  • StrongDM's practical framing for moving from least privilege toward zero standing privilege
  • How the article ties access visibility to cost reduction as well as security

👉 Read StrongDM's analysis of why least privilege has failed →
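As an added illustration (not StrongDM's code or this forum's own), here is the reconciliation the first guidance bullet describes: entitlement records joined to last-used telemetry with a 90-day cutoff, producing the three dormant populations the analysis counts (unused privileged credentials, users holding unused access, resources nobody reached). Every principal, credential and resource name below is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DORMANCY_WINDOW = timedelta(days=90)  # the 90-day window the StrongDM analysis uses


@dataclass(frozen=True)
class Grant:
    user: str         # human or non-human principal holding the grant
    credential: str   # credential through which the grant is exercised
    resource: str     # database, server or cloud resource it reaches
    privileged: bool  # elevated grant (admin/root/write) vs. ordinary access


# Constructed sample entitlement inventory (hypothetical names, not real data).
GRANTS = [
    Grant("alice", "cred-alice-admin", "prod-db", True),
    Grant("alice", "cred-alice-ro", "reporting-db", False),
    Grant("bob", "cred-bob-admin", "prod-db", True),
    Grant("svc-ci", "cred-ci-deploy", "k8s-prod", True),
    Grant("svc-legacy", "cred-legacy-root", "old-fileserver", True),
    Grant("carol", "cred-carol-ro", "reporting-db", False),
]

# Constructed usage telemetry: last observed use per (credential, resource).
# Grants absent from this map were never seen in use at all.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
LAST_USED = {
    ("cred-alice-admin", "prod-db"): NOW - timedelta(days=3),
    ("cred-alice-ro", "reporting-db"): NOW - timedelta(days=120),
    ("cred-ci-deploy", "k8s-prod"): NOW - timedelta(hours=2),
    ("cred-carol-ro", "reporting-db"): NOW - timedelta(days=10),
}


def dormancy_report(grants, last_used, now, window=DORMANCY_WINDOW):
    """Reconcile entitlements against usage. A grant is active only if it was
    exercised at or after the cutoff; everything else is dormant and goes on
    the challenge list (owner validation happens before any revocation)."""
    cutoff = now - window

    def is_active(g):
        ts = last_used.get((g.credential, g.resource))
        return ts is not None and ts >= cutoff

    active = {g for g in grants if is_active(g)}
    dormant = [g for g in grants if g not in active]
    # 1. privileged credentials with no live use on any resource
    used_creds = {g.credential for g in active}
    unused_priv = sorted({g.credential for g in grants if g.privileged} - used_creds)
    # 2. users holding at least one grant they did not exercise in the window
    users_unused = sorted({g.user for g in dormant})
    # 3. resources nobody reached through any grant in the window
    unused_res = sorted({g.resource for g in grants} - {g.resource for g in active})
    return {"unused_privileged_credentials": unused_priv,
            "users_with_unused_access": users_unused,
            "unused_resources": unused_res}
```

Note that alice appears under users with unused access even though her admin credential is active: the report is per grant, so a live privileged path does not excuse a dormant one held by the same principal.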


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Visibility is the real control plane for least privilege. Least privilege does not fail because the principle is wrong. It fails because organisations cannot continuously prove which privileges are active, which are dormant, and which are no longer justified. Without usage visibility, access reviews become ceremonial and deprovisioning becomes reactive. The practitioner conclusion is that least privilege is only enforceable when entitlement can be reconciled to real use.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • A separate finding from the same survey shows that 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments.

A question worth separating out:

Q: How do you know if privileged access governance is working?

A: You should see fewer dormant credentials, fewer users with unused access, and a shrinking set of reachable resources that no longer support live work. If those numbers do not decline over time, the programme is documenting access rather than reducing it. Effective governance produces measurable removal, not just approval records.

👉 Read our full editorial: Least privilege has failed because visibility still lags access
